MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 552fba4dc6da172a89fa1598a1bd3c62ad0ae663faf6548987999f3649144d2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 17

Intelligence 17 IOCs YARA 8 File information Comments

SHA256 hash:	552fba4dc6da172a89fa1598a1bd3c62ad0ae663faf6548987999f3649144d2b
SHA3-384 hash:	488b89af8058abf49a6c5a1f7db1b4b3d3a2477e7b5276e59340dec9a632ac8bbf284eff10ae9aaa836423a93de673de
SHA1 hash:	83ac3d4c91f79ebcfe0a216b069c4e5653bc13f9
MD5 hash:	0b3392b5fb32e3f4bc370d033d669d89
humanhash:	paris-romeo-whiskey-mirror
File name:	file.exe
Download:	download sample
Signature	Vidar Create hunting rule
File size:	318'976 bytes
First seen:	2023-05-09 00:08:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8effd33c0c7d3209e4d0dde05803b13b (7 x Smoke Loader, 6 x Amadey, 4 x Vidar)
ssdeep	6144:x+gQlK1IptSjtNNvS2CfdDGOUfREi9ic:x+gQA1yWlCVd2RjY
Threatray	83 similar samples on MalwareBazaar
TLSH	T17864F122F6A1C072D017457498F1DBB46ABFBC92A654818B7368276F2E313C197B730E
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	00904a22a2828200 (1 x Vidar)
Reporter	Chainskilabs
Tags:	exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

260

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file.exe

Verdict:

Malicious activity

Analysis date:

2023-05-09 00:10:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3bd948dc-481d-4f64-ac4b-a6efac88807d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/387618/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Behavior that indicates a threat

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/83120/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64598f1f6f254f9636e3c143/reports/86ab9170-5607-491b-8342-77afa40027fa/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/552fba4dc6da172a89fa1598a1bd3c62ad0ae663faf6548987999f3649144d2b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/66a0b930-1c69-4bd0-994c-4195558ab8d4

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1228757

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/552fba4dc6da172a89fa1598a1bd3c62ad0ae663faf6548987999f3649144d2b/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-04-09 04:00:50 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

33 of 37 (89.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kux3utog3ilsvcp2cwmkdpj4mkwqvztd7l3fjcmhtgptmsiujuvq._file

Verdict:

malicious

Vidar

558da56234404dd337be2a22e2493aa6c140b7688e58a17236dc95da0e5162eb

Vidar

836521d8320c827021abd8da5243f5b8b54143b02a5a48633d7ff3e1dfe7a2cb

Vidar

8e517eff9f5660d37b9eea72e56a3133e85889a36f7ffea1b11a1e31f8baf001

Vidar

9d32dcd66ddeff3c376b08f6c76d28a3b577eebc2f0d8b9ba1781109ec3d6c62

Vidar

c6dd25dcabf4bcb343f25f084c237b432d2f1aef3600129f6f784cd2969645e6

Vidar

c73c5027ec11576250105ea0664c33a51f3a19901c6bcbfd84d88c94f3482435

Vidar

e814d34a0eb17347413d34653b7fca514c931eb1a5317012fe44d54c09617fd4

Vidar

+ 73 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:8eb820ddf1aebfd9fcdae0b7decef98a spyware stealer

Link:

https://tria.ge/reports/230509-affz1sdd97/

Behaviour

Modifies system certificate store

Program crash

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199492257783
https://t.me/justsometg

Unpacked files

SH256 hash:

6571a06f2d02b16984f24783a80ab7fc41a03fd8b91031a344338f13f726ad7f

MD5 hash:

cd874c9328bcb20f8f38d731da3c59e4

SHA1 hash:

64eac5ce7116edf5f31e4315c90356a551c91ae0

Detections:

VidarStealer

Link:

https://www.unpac.me/results/f1ab52b8-e76e-417f-b1c0-d215b8789783/

Parent samples :

552fba4dc6da172a89fa1598a1bd3c62ad0ae663faf6548987999f3649144d2b
32bc8648c499ce2115cc18b912b59a64a1869f23102a06ac18c70c70be9385a3

SH256 hash:

552fba4dc6da172a89fa1598a1bd3c62ad0ae663faf6548987999f3649144d2b

MD5 hash:

0b3392b5fb32e3f4bc370d033d669d89

SHA1 hash:

83ac3d4c91f79ebcfe0a216b069c4e5653bc13f9

Link:

https://www.unpac.me/results/f1ab52b8-e76e-417f-b1c0-d215b8789783/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/552fba4dc6da/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/552fba4dc6da172a89fa1598a1bd3c62ad0ae663faf6548987999f3649144d2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Telegram_Links Create hunting rule

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_vidar_a_6118 Create hunting rule
Author:	Johannes Bader
Description:	detect unpacked Vidar samples

Rule name:	win_vidar_a_a901 Create hunting rule
Author:	Johannes Bader
Description:	detect unpacked Vidar samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

exe 552fba4dc6da172a89fa1598a1bd3c62ad0ae663faf6548987999f3649144d2b

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/387618/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample